A company has got it right. MyFitnessPal suffered a data breach: that’s worrying, but it is how it dealt with it that is impressing privacy experts.
A data breach will happen. Experts on data privacy keep telling us that. Sure, under GDPR, you need to take all reasonable steps to minimise the risk. But what you do when the breach occurs is just as important.
Article 33 of GDPR is unambiguous. It states: “In the case of a personal breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authorities…”
And, according to the ICO, the UK privacy regulator: “If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.”
So what must you do? Following the lead set by MyFitnessPal might be a good idea.
Recently it sent out this message to customers. “We are writing to notify you about an issue that may involve your MyFitnessPal account information. We understand that you value your privacy and we take the protection of your information seriously.
“On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts. The affected information included usernames, email addresses, and hashed passwords - the majority with the hashing function called bcrypt used to secure passwords.”
So that’s a good start. Pretty prompt.
At a recent GDPR summit, Ardi Kolah, privacy expert and Director at the GDPR Transition Programme at Henley Business School, pointed out that “There is a gulf between what GDPR expects and the current reality. While Article 32 stipulates that a breach usually has to be reported within 72 hours, research has found the average length of time it takes an organisation to discover they have a data breach is 128 days.” So that is quite a gap, and it needs closing, fast.
“Don’t write a plan in the middle of a crisis”, said Anthony Lee, privacy lawyer and partner at law firm DMH Stallard at the same conference.
Well, this is how the MyFitnessPal note continued: “Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities.
“We are taking steps to protect our community, including the following:
“We are notifying MyFitnessPal users to provide information on how they can protect their data.
“We will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately.
“We continue to monitor for suspicious activity and to coordinate with law enforcement authorities.
“We continue to make enhancements to our systems to detect and prevent unauthorized access to user information.
“We take our obligation to safeguard your personal data very seriously and are alerting you about this issue so you can take steps to help protect your information. We recommend you:
“Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account.
“Review your accounts for suspicious activity.
“Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.
“Avoid clicking on links or downloading attachments from suspicious emails.”
Seems like they deserve pretty high marks out of ten.
To ensure that your organisation addresses the privacy concerns of customers, clients and employees, attend the next GDPR Summit London on 23rd April. Speakers include Jim Steven, Head of Data Breach Services, Experian; Gary Brown, GDPR UK Programme Director at Santander UK; and Julia Porter, Board Director, DMA. For more information, visit the website.
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/